RAS-E. Industrial router & RAS server & firewall. User manual

RAS-E

Industrial router & RAS server & firewall

_________________


The RAS-E router is manufactured by

ETIC TELECOM

13 Chemin du vieux chêne

38240 MEYLAN FRANCE


TEL : + 33 4-76-04-20-00 FAX : + 33 4-76-04-20-01 E-mail : [email protected]


CONTENT

OVERVIEW

1 PRODUCTS IDENTIFICATION... 7

2 PRODUCT PRESENTATION... 8

2.1 Overview ... 8

2.2 Applications... 9

2.3 Main features ... 11

3 TECHNICAL DATA... 13

INSTALLATION

1 PRODUCT DESCRIPTION ... 15

1.1 Connectors ... 19

1.2 DIP-switches & push-button ... 21

2 VENTILATION... 21

3 SUPPLY VOLTAGE... 21

4 ETHERNET PORTS... 21

5 RS232 INTERFACE ... 22

6 RS485 INTERFACE ... 22

7 DIGITAL INPUT & OUTPUT CONNECTION... 23

SETUP

1 SET UP STEPS... 25

2 CONFIGURING THE RAS-E ROUTER ... 26


3 REBOOTING THE ROUTER AFTER PARAMETERS CHANGES ... 29

4 RECOVERING THE FACTORY LAN IP ADDRESS ... 30

5 RECOVERING THE FACTORY CONFIGURATION ... 30

6 RESTRICTING ACCESS TO THE ADMINISTRATION SERVER ... 30

7 RECOVERING A FREE ACCESS TO THE ADMINISTRATION SERVER ... 31

8 FACTORY CONFIGURATION... 31

9 LAN INTERFACE... 32

9.1 IP protocol ... 33

9.2 DHCP server ... 33

10 WAN INTERFACE... 35

10.1 IP protocol menu... 35

10.2 “Control” menu ... 36

11 CREATING VPN CONNECTIONS BETWEEN ROUTERS ... 37

11.1 Principles ... 37

11.2 IPSec VPN connections... 39

11.3 TLS VPN connections... 45

12 ROUTING FUNCTIONS ... 51

12.1 Basic routing function... 51

12.2 Static routes ... 52

12.3 RIP protocol... 53

13 ADDRESS AND PORT TRANSLATION ... 54

13.1 Port forwarding ... 54


15 REMOTE USERS CONNECTIONS ... 57

15.1 Principles ... 57

15.2 Configuring a TLS connection... 58

15.3 Configuring a PPTP connection ... 61

16 M2ME_CONNECT SERVICE... 62

16.1 Overview ... 62

16.2 Configuring a M2Me_Connect connection ... 63

17 USERS LIST... 65

18 FIREWALL ... 68

18.1 Overview ... 68

18.2 Main filter ... 70

18.3 Remote users filters... 74

19 SERIAL TO IP GATEWAY... 79

19.1 Modbus menu... 80

19.2 RAW TCP gateway ... 83

19.3 RAW UDP gateway... 85

20 USB TO IP GATEWAY ... 87

20.1 Principles ... 87

20.2 Configuration... 88

21 ADVANCED FUNCTIONS ... 89

21.1 Adding a certificate... 89


DIAGNOSTIC & MAINTENANCE

1 DIAGNOSTIC ... 93

2 SAVING THE PARAMETERS TO A FILE ... 94

3 UPDATING THE FIRMWARE... 95

Appendix 1 : html server overview

Appendix 2 : VPN technology

Appendix 3 : Information which has to be collected to setup the connection to the M2Me_Connect service


OVERVIEW

1 Products identification

                                                             RAS-E-1400   1201   1220   1230
IP router                                                        •          •      •      •
Firewall SPI                                                     •          •      •      •
Remote access server - 25 users                                  •          •      •      •
M2Me_Connect compatibility                                       •          •      •      •
25 VPN IPSEC & SSL                                               •          •      •      •
Serial gateway Raw                                               -          -      -      -
Serial gateway (Raw TCP and UDP, Telnet, Modbus, Unitelway)      -          -      •      •
USB gateway                                                      -          •      -      -
RJ45 10 / 100 BT                                                 4          2      2      2
USB host                                                         -          1      -      -
RS232                                                            -          -      1      2
RS485                                                            -          -      1      -
IP router                                                        •          •      •      •
NAT                                                              •          •      •      •
Port forwarding                                                  •          •      •      •
SNMP                                                             •          •      •      •
DNS                                                              •          •      •      •
DHCP client or server on the LAN interface                       •          •      •      •
Digital input for alarm emails                                   1          1      1      1
HTML setup                                                       •          •      •      •
IO Viewer : optional dynamic data html server                    •          •      •      •

The sign • means the function is provided. The sign - means the function is not provided.


2 Product presentation

2.1 Overview

The RAS-E is a security product designed to interconnect industrial devices safely with an IP network such as a factory or company network or the Internet.

The RAS-E comes with two interfaces :

The LAN interface : it is made to connect the industrial devices. Depending on the model, it includes 4 Ethernet ports, or 2 Ethernet and 2 serial ports, or 2 Ethernet and 1 USB port.

The WAN interface : it is a 10/100 BT interface to connect the RAS-E to a company network, a provider network or the Internet.

VPNs can be set on that interface between the RAS-E and other routers (25 VPNs max.) or between the RAS-E and remote users (25 users max.).

[Figure : WAN interface, 1 X RJ45 10/100 BT ; LAN interface, 4 X RJ45 10/100 BT or 2 X RJ45 & 2 serial ports ; SAFE and LINK leds]

The RAS-E is at the same time an IP router, a VPN client or a VPN server, a remote access server (RAS) and a stateful inspection firewall.

2.2 Applications

Those features combined in the same product make the RAS-E a top level solution to connect a machine safely to a company network and to provide secure remote access to the machine.

Safe connection of a machine to a company network :

[Figure : Machine - RAS-E (router, firewall, RAS) - factory company network ; IPL-E ; IP routing ; VPN ; M2Me_Secure]

Remote maintenance :

[Figure : Machine - RAS-E (RAS, router, firewall) - Intranet ; VPN ; IP routing]

Remote maintenance through the M2Me_Connect service :

[Figure : Machine - RAS-E (RAS, router, firewall) - Internet - Intranet ; VPN ; IP routing ; M2Me_Connect]


2.3 Main features

The RAS-E router provides the functions hereafter. Some features are provided only on particular models.

IP router

The RAS-E firewall-router provides powerful, flexible and comprehensive solutions to route IP packets between the LAN and the WAN interface.

VPN client or server

The RAS-E router is able to establish safe VPN tunnels.

Once a VPN is established between two RAS-E routers, each IP device connected to the first RAS-E can exchange IP packets with any device connected to the other RAS-E.

The VPN mechanism ensures at the same time end-point authentication, data integrity and confidentiality.

The RAS-E router is able to establish up to 25 IPSec or TLS – SSL VPNs. Authentication can be carried out with a pre-shared key or with a certificate.

SPI Firewall

The RAS-E incorporates a stateful inspection firewall.

It is able to check source and destination IP addresses and port numbers for data coming from the WAN interface or from the LAN interface.

Remote access server

Remote users are authenticated, and an IP address belonging to the LAN interface is automatically assigned to their PC.

Moreover, the traffic coming from the PC of each remote user is filtered according to the remote user identity.


Serial gateway *

The product includes an asynchronous (RS232-RS485) to IP gateway, which allows asynchronous or USB devices to be connected directly and safely to the Ethernet network.

DHCP client or server

DHCP is a standard Internet protocol that enables a DHCP server to dynamically distribute IP addresses and configuration information to the DHCP clients.

The RAS-E can be a DHCP client or server on its LAN interface or a DHCP client on its WAN interface.

Emails – sms

An email (or SMS) can be sent each time one of the two digital inputs is opened or closed.

SNMP

The RAS-E router is an SNMP agent.

Html and DIP switches configuration

The RAS-E is configured with a web server.

Two DIP switches allow an IP address to be assigned to the RAS-E over the LAN interface : DHCP client or server, factory IP address or stored IP address.

EticFinder software

The ETICFinder software is delivered with the product.

It detects the ETIC products connected to an Ethernet interface and displays the MAC address and the IP address of each product.

M2Me_Secure VPN client software

M2Me_Secure is a TLS client able to register up to 100 VPN connections that the user can open with a click.

* That feature is provided only on particular models; see the Product Identification table above


3 Technical data

General characteristics

Dimensions : 137 x 48 x 116 mm (h, l, p)
Electrical safety : EN 60950 - UL 1950
EMC :
  ESD : EN61000-4-2 : Discharge 6 KV
  RF field : EN61000-4-3 : 10V/m < 2 GHz
  Fast transient : EN61000-4-4
  Surge voltage : EN61000-4-5 : 4KV line / earth
RoHS : 2002/95/CE (RoHS)
Supply voltage : 10 to 30 VDC – 170 mA at 24 VDC
Operating T° : -20°C / + 60°C
Humidity : 5 – 95 %
Throughput between the WAN interface and the LAN interface : IP router : 10 Mb/s ; VPN : 2 Mb/s

Ethernet / IP router

Ethernet : 10/100 BT – 2 or 4 switched ports
IP router : Remote connections - static routes – RIP V2
IP address translation : Source IP @ translation (NAT) ; Destination IP @ translation (DNAT) ; Port translation (Port forwarding)
DNS : Domain name
IP address assignment : Fixed IP @ or DHCP client or DHCP server

Security

VPN : Client or server ; IPSEC or TLS/SSL ; Encryption 3DES ; Certificate X509 or preshared key


Remote access server (RAS)

User list : 25 users
Connection : VPN PPTP / L2TP-IPSec / TLS Open VPN ; Login & password ; Certificate X509
M2Me VPN : Compliant with the M2Me_Secure VPN client ; Compliant with the M2Me_Connect mediation service
Alarms : 3 inputs : emails

Serial interface

RS232 : 1200 – 115200 kb/s, parity N / E / O ; RS232 or RS485 (2 wires)
USB : USB host interface
Serial asynchronous to IP gateways : Modbus master and slave ; Raw TCP client and server ; Telnet ; RAW UDP “multicast” ; unitelway


INSTALLATION

1 Product description

RAS-E-1400

[Figure : front panel of the RAS-E-1400 : WAN port 10/100 BT, Ethernet ports 1 & 2, Ethernet ports 3 & 4, OPERATION, VPN and LINK leds]

Interface   Led                        Function
WAN         VPN                        One VPN at least has been established
WAN         LINK                       Blinking quickly : Data activity ; Lit : Interface connected, no activity
LAN         Ethernet 1 to Ethernet 4   Blinking quickly : Data activity ; Lit : Interface connected, no activity
            OPERATION                  Green : Operation ; Red : Alarm

RAS-E-1220

[Figure : front panel of the RAS-E-1220 : WAN port 10/100 BT, Ethernet ports 1 & 2, RS232 and RS485 Rx/Tx leds, OPERATION, VPN, LINK and SAFE leds]

Interface   Led                        Function
WAN         VPN                        One VPN at least has been established
WAN         LINK                       Blinking quickly : Data activity ; Lit : Interface connected, no activity
LAN         Ethernet 1 to Ethernet 2   Blinking quickly : Data activity ; Lit : Interface connected, no activity
RS232       Rx                         Bytes received from the RS232 (to the RAS)
RS232       Tx                         Bytes transmitted to the RS232 (from the RAS)
RS485       Rx                         Bytes received from the RS485 (to the RAS)
RS485       Tx                         Bytes transmitted to the RS485 (from the RAS)
            OPERATION                  Green : Operation

RAS-E-1230

[Figure : front panel of the RAS-E-1230 : WAN port 10/100 BT, Ethernet ports 1 & 2, RS232 RX/TX leds, OPERATION, VPN, LINK and SAFE leds]

Interface   Led                        Function
WAN         VPN                        One VPN at least has been established
WAN         LINK                       Blinking quickly : Data activity ; Lit : Interface connected, no activity
LAN         Ethernet 1 to Ethernet 2   Blinking quickly : Data activity ; Lit : Interface connected, no activity
RS232       Rx                         Bytes received from the RS232 (to the RAS)
RS232       Tx                         Bytes transmitted to the RS232 (from the RAS)
            OPERATION                  Green : Operation

RAS-E-1201

[Figure : front panel of the RAS-E-1201 : WAN interface Ethernet 10/100, LAN interfaces Ethernet 10/100 (ports 1 & 2), USB host interface (usb modem), supply voltage, Operation, Backup, USB activity, VPN and LINK leds]

Interface   Led                        Function
WAN         VPN                        One VPN at least has been established
WAN         LINK                       Blinking quickly : Data activity ; Lit : Interface connected, no activity
LAN         Ethernet 1 to Ethernet 2   Blinking quickly : Data activity ; Lit : Interface connected, no activity
USB         USB                        Data activity
            OPERATION                  Green : Operation ; Red : Alarm


1.1 Connectors

8 pins screw block : supply voltage and input / output

Pin Nr   Signal      Function
1        Power 1 +   Supply voltage input 1 : 10 to 30 Vdc
2        Power 1 -   0 V
3        Power 2 +   Supply voltage input 2 : 10 to 30 Vdc
4        Power 2 -   0 V
5        3V3         + 3 VDC voltage provided by the product
6        In          Input
7        F +         Output + (max 50Vdc - 0,6A)
8        F -         Output -

WAN RJ45 connector : Ethernet 10/100 BT

Pin Nr   Signal   Function
1        Tx +     TX polarity +
2        Tx -     TX polarity -
3        Rx +     Reception polarity +
4        N.C.     -
5        N.C.     -
6        Rx -     Reception polarity -
7        N.C.     -
8        N.C.     -

LAN Ethernet RJ45 connector : Ethernet 10/100 BT

Pin Nr   Signal   Function
1        Tx +     TX polarity +
2        Tx -     TX polarity -
3        Rx +     Reception polarity +
4        N.C.     -


RS485 2 pins screw block (RAS-E-1220)

Pin Nr   Signal   Function
1        A        RS485 polarity A
2        B        RS485 polarity B

RS232 RJ45 connector (to connect a DCE to the RS232 port) (RAS-E-1220 or RAS-E-1230)

Pin Nr   Circuit     Direction   Function
1        DTR - 108   OUT         Data terminal ready
2        TD - 103    OUT         Data emission
3        RD - 104    IN          Data reception
4        DSR - 107   IN          Data set ready
5        SG - 102    -           Ground
6        Not used    OUT         -
7        CTS - 106   IN          Clear to send
8        RTS - 105   OUT         Request to send

RS232 RJ45 connector (to connect a DTE to the RS232 port) (RAS-E-1220 or RAS-E-1230)

Pin Nr   Circuit     Direction   Function
1        CD - 109    OUT         Carrier detect
2        RD - 104    OUT         Data reception
3        TD - 103    IN          Data emission
4        DTR - 108   IN          Data terminal ready
5        SG - 102    -           Ground
6        DSR - 107   OUT         Data set ready
7        RTS - 105   IN          Request to send
8        CTS - 106   OUT         Clear to send


1.2 DIP-switches & push-button

DIP switches

SW 1   SW 2   Management
OFF    OFF    The current IP @ of the product is the stored IP @
ON     OFF    The active IP @ of the product is the factory IP @ : 192.168.0.128 ; no login and password are required to access the html server
OFF    ON     The active IP @ is provided by the BOOTP or DHCP server
ON     ON     Reserved

Push-button : it restores the factory profile.

To restore the factory profile, switch the power on while pressing the push-button until the RUN light turns green.

Attention : once the factory profile has been restored, the stored configuration is lost.

2 Ventilation

To avoid overheating when the ambient temperature is high, leave a 1 cm (0.5 inch) space on each side of the product.

3 Supply voltage

The supply voltage must be strictly lower than 30 VDC and higher than 10 VDC. The consumption is 170 mA at 24 VDC.

4 Ethernet ports


5 RS232 interface

The RS232 data rate can be tuned from 1200 to 115200 b/s with parity (even / odd) or no parity.

The data terminal must be less than 10 meters away from the modem. Cables can be provided to connect the product to a DTE or a DCE as follows :

RS232 cables (L = 1 m)

Code     User connector   Cable function
CAB592   SubD 9 male      To connect a DCE to the RAS-E
CAB593   SubD 9 female    To connect a DTE to the RAS-E
CAB609   wires            To connect a device providing a specific connector

6 RS485 interface

The RS485 serial interface is provided on the front panel 2 pins screw-block.

Polarisation resistors

1 Kohm bus polarisation resistors are included inside the product.

[Figure : RS485 bus with the B(+) and A(-) lines and the two 1 KOhm polarisation resistors inside the product]

RS485 line matching

For a several meters long connection over the RS485 local interface, it is not necessary to adapt the RS485 line.

For a longer distance, matching and polarisation resistors must be added.


7 Digital input & output connection

Alarm output

1 relay output is provided to indicate an alarm.

The alarm condition can be selected using the html server.

[Figure : digital output on pins 7 (F+) and 8 (F-), V < 48 VDC, I < 0,5 A ; digital input on pins 5 (3V3) and 6 (In)]

The electrical characteristics of the output are : opto-isolated output, maximum voltage : 48VDC, maximum current : 500 mA.

Inputs

The product features two digital inputs ; they are not isolated.

If one input is opened, an SNMP trap will be sent to the SNMP server if that function has been enabled.


CONFIGURATION

1 Set up steps

To configure the router, we advise proceeding as follows :

• Connecting a PC to the router

• Setting up the LAN interface

• Setting up the WAN interface

• Setting up VPNs

• Setting up routing and IP address translation functions

• Setting up remote users connections and the M2Me_Connect service

• Setting up the remote users list

• Setting up the serial gateway or the USB gateway


2 Configuring the RAS-E router

2.1 Overview

Administration server address :

The administration html server is located at the LAN IP address of the router (the default address is 192.168.0.128).

First setup :

For the first configuration, we advise to connect the PC directly to the LAN interface of the RAS-E router.

Setup modifications :

Modifications can be carried out from the LAN interface, or from the Internet if a firewall rule authorises access to the administration server (not advised), or from the Internet using a remote user connection or a VPN.

Restoring the factory IP address :

The factory IP address of the router on the LAN interface can be restored by setting the DIP switches SW01 ON and SW02 OFF.

In that position of the DIP switches, the stored configuration is not deleted.

Setting the DIP switches in that position also gives free access to the administration server from the LAN interface.

During operations, the DIP switches must not be left in that position.

Network IP address :

Later in the text, we often speak of “network address”. We mean the lowest value of the addresses of the network.

For instance, if the netmask of a network is 255.255.255.0, the network address of that network is X.Y.Z.0.

Copy and paste :

Parameters must be entered with the keyboard; they cannot be pasted. However, pasting a long string can be useful to avoid errors.

In that case, copy and paste the string, delete the last character of the pasted string, and enter it again with the keyboard.

Saving and restoring the parameters file (see the maintenance chapter)

A parameters file can only be downloaded to a product having the same firmware version. For that reason, we advise giving the parameters file a name that includes the product name and the software version, for instance “myrouterfile_iplE1220_V241.bin”.

2.2 First configuration

Step 1 : Check the DIP switches

Coming from factory, the DIP switches SW1 and SW2 are set OFF to select the stored IP address.

Coming from factory, the stored IP address is the factory IP address 192.168.0.128.

Step 2 : Create or modify the PC IP connection.

Assign to the PC an IP @ in accordance with the RAS-E IP address. For the first configuration, assign for instance 192.168.0.127 to the PC.

Step 3 : Connect the PC directly to the LAN interface of the RAS-E router using any Ethernet cable (straight or cross wired).

Step 4 : Launch the navigator

Enter the LAN IP @ of the router 192.168.0.128.


2.3 Modifying the configuration from the LAN

If the IP @ of the RAS-E on the LAN interface is assigned by a DHCP server

Step 1 : Ensure the DIP switch SW1 is OFF and SW2 ON to select DHCP client operation.

Step 2 : Launch ETIC FINDER to detect the RAS-E address over the LAN interface.

Click the product once detected.

The Home page of the administration server is displayed.

Remark : If the home page cannot be displayed, refer below.

If the IP @ of the RAS-E on the LAN interface is fixed

Step 1 : Ensure the DIP switch SW1 and SW2 are OFF to select the stored IP @.

Step 2 : Launch the html browser and enter the IP address assigned to the router.

Or, launch the ETICFINDER utility to detect the RAS-E address.

Remark :

2.4 Modifying the configuration from the WAN interface

Coming from factory, the firewall rejects all the packets coming from the WAN to the LAN.

For that reason, the administration web server can be reached from the WAN interface only if a firewall rule has been created to authorise IP packet exchanges from a WAN IP address to the LAN IP address of the router.

To reach the administration server from the WAN interface, it is also possible to set a remote user PPTP or TLS connection.

Any remote user registered in the User list can reach all the devices of the LAN interface including the router itself unless a User firewall rule has been created to prevent him from reaching the LAN IP address of the router.

3 Rebooting the router after parameters changes

• After the parameters of any page have been completed, click the « Save » button at the bottom of the page.

• After some parameters changes, the RAS-E must restart. When the configuration has been completely carried out, click the « Reboot » red button in the green bar, when displayed.

• Once the product has restarted, check the « Reboot » button has disappeared from the green bar.

To save the configuration file to a hard disk :

• Select the “maintenance” menu and then the “Save / restore” menu.


4 Recovering the factory LAN IP address

When launching the html browser, the homepage of the html server may not be displayed; the cause may be that the IP address you entered was wrong.

If the IP address you entered is wrong, you can recover the factory IP address by setting SW01 ON and SW2 OFF.

The factory IP address 192.168.0.128 will be restored as long as the SW01 and SW02 micro-switches are left in that position.

Remark :

The SW01 and SW02 must not be left in that position during operations.

5 Recovering the factory configuration

If firewall rules have been created which end up preventing access to any IP address on the LAN interface, including the router itself, it may be necessary to restore the factory configuration of the router.

To restore the RAS-E factory configuration,

• Switch OFF the power supply of RAS-E router.

• Press the push button on the top part of the RAS-E router and switch ON the power supply.

• Keep the push button pressed until the operation led turns red.

Remark : The stored configuration will be lost; the factory IP address 192.168.0.128 will be restored.

6 Restricting access to the administration server

The access to the administration server can be protected by a login and password.

To protect access to the administration server,

• Select the “Setup” menu, the “Security” menu and then the “Administration menu”.

Remark : For more simplicity, we advise choosing the login and the password of one of the remote users stored in the user list.


7 Recovering a free access to the administration server

If the login or password entered to reach the administration server has been rejected, it is possible to recover free access to the administration server, from the LAN only, by setting SW01 ON and SW2 OFF.

Remark :

The factory IP address 192.168.0.128 will also automatically be restored as long as SW01 will remain ON and SW2 OFF.

During normal operations SW01 and SW02 must not be left in that position.

8 Factory configuration

Coming from factory, the router configuration is as follows :

LAN IP @ : 192.168.0.128
WAN IP @ : None
Default user : Login = admin ; Password = admin
Admin. Web server restriction : None
Firewall :
  Remote user filters : Authorises any remote user belonging to the user list to reach a LAN IP address using a PPTP or TLS connection
  Main filter : IP packets coming from the WAN interface to the LAN are dropped


9 LAN interface

The LAN interface is made of 4 Ethernet switched ports, or of 2 Ethernet switched ports and 2 serial ports, or of 2 Ethernet switched ports and 1 USB port.

On that interface, the following IP addresses must be entered :

• The router IP address on the LAN interface *.

• The IP address pool assigned to the remote users when they connect.

* The administration server is located at that address.

On the LAN interface, the RAS-E can behave like a DHCP server.

Remark about IP address assignment rules :

The RAS-E router will be able to route frames between the LAN and the WAN interface only if the IP address assigned to the network connected to the LAN interface is different from the one assigned to the WAN interface.

Moreover, the LAN IP address must be different from the remote LAN IP address.
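A worked example of the address rules stated in this chapter (the "network address" being the lowest address of the network, as defined in the overview of section 2; the LAN and WAN networks having to be different for routing to work; the remote-user pool belonging to the LAN interface). This example is added here and is not part of the ETIC manual. It uses the Python standard library ipaddress module; the function names, the sample addresses and the third rule (the pool must not include the router's own LAN address) are this example's own assumptions.

```python
"""Added example (not from the ETIC manual): LAN / WAN address-plan checks.

network_address() derives the network address the manual speaks of (for
netmask 255.255.255.0 the network address of X.Y.Z.n is X.Y.Z.0).
check_address_plan() applies the rules of the LAN interface chapter to a
constructed address plan.  Sample values are constructed for the example.
"""
import ipaddress


def network_address(ip: str, netmask: str) -> str:
    """Return the lowest address of the network containing ip/netmask."""
    net = ipaddress.IPv4Network(f"{ip}/{netmask}", strict=False)
    return str(net.network_address)


def check_address_plan(lan_ip, lan_mask, wan_ip, wan_mask, pool_start, pool_end):
    """Return a list of problems found (an empty list means the plan is consistent).

    Rules applied (the first two are stated in the manual, the third is a
    practical assumption of this example):
      1. the LAN and WAN networks must be different (no overlap), else no routing;
      2. the remote-user pool must lie inside the LAN network;
      3. the pool must not contain the router's own LAN address.
    """
    problems = []
    lan = ipaddress.IPv4Network(f"{lan_ip}/{lan_mask}", strict=False)
    wan = ipaddress.IPv4Network(f"{wan_ip}/{wan_mask}", strict=False)
    if lan.overlaps(wan):
        problems.append(f"LAN network {lan} overlaps WAN network {wan}")

    start = ipaddress.IPv4Address(pool_start)
    end = ipaddress.IPv4Address(pool_end)
    if end < start:
        problems.append("pool end is lower than pool start")
    if start not in lan or end not in lan:
        problems.append(f"remote-user pool {start}-{end} is not inside LAN network {lan}")

    router = ipaddress.IPv4Address(lan_ip)
    if start <= router <= end:
        problems.append(f"pool contains the router LAN address {router}")
    return problems


if __name__ == "__main__":
    # Constructed plan: factory LAN address, a private WAN network, a small pool.
    print(network_address("192.168.0.128", "255.255.255.0"))
    print(check_address_plan("192.168.0.128", "255.255.255.0",
                             "10.1.0.5", "255.255.255.0",
                             "192.168.0.200", "192.168.0.220"))
    # Same network on both sides and a pool that swallows the router address.
    print(check_address_plan("192.168.0.128", "255.255.255.0",
                             "192.168.0.1", "255.255.255.0",
                             "192.168.0.100", "192.168.0.150"))
```

Running the check before entering the parameters in the "LAN interface" and "WAN interface" pages catches the two plans the manual warns about (same network on both interfaces, pool outside the LAN) without having to reboot the router to find out.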


9.1 IP protocol

• Click the « Configuration» menu and then « LAN interface» and then “IP protocol”.

“IP address” parameter :

Enter the IP address assigned to the router over the LAN interface.

That IP address will have to be entered to display the administration server of the router.

“Netmask” parameter :

Enter the IP netmask assigned to the LAN.

“Start of users IP address pool” & “End of users IP address pool” parameters :

Those parameters define the pool of addresses which will be assigned automatically to the remote users' PCs when they connect to the router.

Enter the start address and the end address.

Remark :

After the LAN IP address of the router has been modified, it is necessary to reboot the unit.

If VPNs have been created, they must be launched again after the LAN IP address has been modified.

To launch the VPNs again after the LAN IP address has been modified,

• Select the « network» menu and then the « VPN » menu,

• Click the « Properties » button in front of the « type of VPN » field, and then on the “OK” button of the window entitled« VPN properties».

• Click the « Modify » button in front of the « VPN connection » field, and then on the “OK” button.

If the DHCP server is used, it must be launched again after the LAN IP address has been modified.

9.2 DHCP server

Over the LAN interface, the RAS-E router can behave like a DHCP server.

To configure the DHCP server function, select the « Setup» menu and then « LAN interface» and then « DHCP server ».

“Activate DHCP server” checkbox :

Select that checkbox to enable the DHCP server.

“IP address pool start” & “IP addresses pool end” parameters :

Those parameters define the range of IP addresses which can be assigned by the RAS-E to the DHCP client devices.

“Netmask” & “default gateway” parameters :

Enter the netmask of the network connected to the LAN interface and the default gateway address.

“Primary DNS IP address” & “secondary DNS IP address” parameters :

Enter the IP addresses of the domain name servers; the DHCP server will communicate that information to the DHCP client devices.

“Client MAC address” & “Client IP address” table :

If a fixed IP address must be assigned to some devices connected to the LAN interface, enter the MAC address and the fixed IP address of each of these devices.
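A small model of how the DHCP pool and the "Client MAC address / Client IP address" table described above fit together, added here as an example; it is not code from the ETIC manual or the product. The manual does not say how a reserved address inside the pool is treated, so this example assumes it is never handed out to another client. Class and method names and all MAC and IP values are constructed.

```python
"""Added example (not from the ETIC manual): LAN DHCP pool plus static MAC table.

A client whose MAC address is in the reservation table always receives its
reserved address; any other client receives the first free address of the
pool.  Addresses listed in the table are withheld from dynamic allocation
(assumption of this example).
"""
import ipaddress


class LanDhcpServer:
    """Toy DHCP server driven by the manual's LAN DHCP settings."""

    def __init__(self, pool_start, pool_end, reservations=None):
        first = ipaddress.IPv4Address(pool_start)
        last = ipaddress.IPv4Address(pool_end)
        if last < first:
            raise ValueError("pool end is lower than pool start")
        # "IP address pool start" / "IP address pool end": dynamic range, in order.
        self.pool = [first + i for i in range(int(last) - int(first) + 1)]
        # "Client MAC address" / "Client IP address" table: fixed assignments.
        self.reservations = {mac.lower(): ipaddress.IPv4Address(ip)
                             for mac, ip in (reservations or {}).items()}
        self.leases = {}  # mac -> IPv4Address currently handed out

    def offer(self, mac):
        """Return the address offered to `mac` as a string, or None if none is free."""
        mac = mac.lower()
        if mac in self.reservations:
            ip = self.reservations[mac]          # table entry wins
        elif mac in self.leases:
            ip = self.leases[mac]                # renewing client keeps its lease
        else:
            taken = set(self.leases.values()) | set(self.reservations.values())
            free = [ip for ip in self.pool if ip not in taken]
            if not free:
                return None                      # pool exhausted
            ip = free[0]
        self.leases[mac] = ip
        return str(ip)

    def release(self, mac):
        """Forget the lease of `mac` so its pool address can be reused."""
        self.leases.pop(mac.lower(), None)


if __name__ == "__main__":
    # Constructed: a three-address pool with one reserved address inside it.
    srv = LanDhcpServer("192.168.0.10", "192.168.0.12",
                        {"00:11:22:33:44:55": "192.168.0.11"})
    print(srv.offer("aa:bb:cc:00:00:01"))   # first free pool address
    print(srv.offer("aa:bb:cc:00:00:02"))   # skips the reserved .11
    print(srv.offer("00:11:22:33:44:55"))   # the reserved address
    print(srv.offer("aa:bb:cc:00:00:03"))   # None: pool exhausted
```

Sizing the pool with the reservations in mind matters on this kind of LAN: a PLC listed in the table with an address taken from the middle of the pool shrinks the dynamic range by one, and the example shows the resulting exhaustion explicitly.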


10 WAN interface

The WAN interface is made to connect the RAS-E router to a wide area network (WAN) like a company network or a provider network or the Internet.

VPN can be set on that interface as well between another router (TLS/SSL or IPSec) and the RAS-E, or between remote users and the RAS-E (PPTP or TLS/SSL).

10.1 IP protocol menu

• Select the « Configuration» menu and then « WAN interface» and then “IP protocol”.

“Obtain an IP address automatically” parameter :

Set that option if a DHCP server is in charge of assigning the IP address of the WAN interface of the router.

Otherwise, enter WAN interface IP address, netmask and default gateway IP address parameters.

“IP address” & “netmask” parameters :

Enter the IP address and netmask assigned to the WAN interface of the router.

“Default gateway” parameter :

Enter the IP address of the default gateway.

“Obtain DNS IP addresses automatically” parameter : Select that option if the domain name server IP addresses are provided automatically.


If that option is selected, the source IP address of any frame coming from a device connected to the LAN interface and routed to the WAN interface is replaced by the router WAN IP address.

“Activate proxi-arp” checkbox :

If that checkbox is selected, the RAS-E will answer an ARP request

• if it comes from a device connected to the LAN interface,

• and if it concerns a device belonging to the IP network connected to the WAN interface.

“SMTP server” parameter :

Enter the SMTP server address (smtp.neuf.fr for instance).

That parameter has to be entered if mails have to be transmitted when an alarm occurs for instance.

“Source account email address” parameter :

Enter the mail address.

10.2 “Control” menu

In that page, one can set the parameters used to check that the WAN interface is running correctly.

“Enable the ping control” checkbox :



11 Creating VPN connections between routers

11.1 Principles

A VPN tunnel is a safe link set between two end-point routers over an IP network : both routers authenticate each other, data are encrypted and each device of one LAN can exchange data with each device of the other one.

To get more explanations about how VPNs work, refer to appendix 1.

25 VPNs can be set on the WAN interface of the RAS-E router. Two types of VPN can be set : TLS VPN and IPSec VPN. IPSec has the advantage of being a standard solution.

TLS is easier to employ because the transport layer is TCP or UDP, which is why it can easily be used when the VPN must pass through several, or even numerous, company routers.

Once a type of VPN (TLS or IPSec) has been selected, all the VPNs set with the RAS-E router will be of the same type.

Two steps are necessary to configure the RAS-E to create VPN connections between routers :

1st step : Select the VPN type and set up the VPN parameters. 2 types of VPN can be used to connect RAS-E routers together or with other types of routers : IPSec or TLS/SSL. Once a type of VPN has been selected, it applies to all the connections with remote routers.

2nd step : Create the VPN connections.

A connection can be an

To create VPN connections between routers,

• select the « Setup» menu and then « Network» and then “VPN connections”.


11.2 IPSec VPN connections

11.2.1 Configuring the IPSec protocol

• Select the “Setup” menu, the “network” menu and then “VPN connections”.

• Select the “Ipsec” type of VPN,

• Click “Properties”.

“Protocol” parameter :


“Authentication & encryption key” parameters :

Authentication and encryption can be carried out with a pre-shared key or a certificate.

“Pre-shared key” value :

The pre-shared key value applies to all the connections. The maximum length of the key is 40 characters.

The same preshared key value will be used for remote users L2TP / IPSec connections.

“Certificate” value

The RAS-E router is delivered with a certificate stored into the product in our factory.

To add a certificate, refer to the “Security” menu.

“Encryption and hash algorithm phase 1” & “Encryption and hash algorithm phase 2” parameters :

Those parameters define the encryption and hash algorithms used during phase 1 of the exchanges between the end-points (VPN set-up) and during phase 2 (data exchange).

The default value is Auto; in that case both end-points will negotiate a common algorithm.

“DPD request period” parameters :

A DPD request (also called keepalive message) is a message sent periodically by each end-point to the other one to check that the VPN should be kept active.

This parameter sets the amount of time (in seconds) between two of these requests.

“Connection death time-out” parameter :

This parameter defines the maximum amount of time (in seconds) a VPN connection will stay established if neither traffic nor a DPD request message is received from the remote end-point.

ATTENTION : Once the parameters of the IPSEC connection have been selected, click the OK button and then the Save button.
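A worked example of how the two IPSec timers above interact, added here and not taken from the ETIC manual: a second-by-second replay of a constructed tunnel shows when the "connection death time-out" would tear the tunnel down after the remote end-point stops answering, and a consistency check flags timer pairs that cannot work together. The function names, the sample timeline, the assumption that a DPD reply arrives in the same second as the request, and the rule of thumb that the time-out should cover at least two DPD periods are this example's own; the manual gives no such figures.

```python
"""Added example (not from the ETIC manual): DPD period vs. connection death time-out.

check_dpd_timers() flags incoherent settings.  tunnel_death_time() replays a
constructed timeline: the peer sends traffic at given seconds and answers every
DPD request (sent every dpd_period seconds) until it dies at peer_dies_at; the
tunnel is declared dead once death_timeout seconds pass with nothing heard.
"""


def check_dpd_timers(dpd_period, death_timeout):
    """Return a list of warnings about the timer pair (empty list = nothing to flag)."""
    if dpd_period <= 0 or death_timeout <= 0:
        return ["both timers must be positive"]
    warnings = []
    if death_timeout <= dpd_period:
        warnings.append("death time-out is not longer than the DPD period: "
                        "one lost DPD reply is enough to tear the tunnel down")
    elif death_timeout < 2 * dpd_period:
        warnings.append("death time-out covers fewer than two DPD periods "
                        "(this example's rule of thumb: tolerate one missed reply)")
    return warnings


def tunnel_death_time(peer_traffic, peer_dies_at, dpd_period, death_timeout, horizon):
    """Return the second at which the tunnel is declared dead, or None if it survives.

    peer_traffic : set of seconds at which the peer sends data of its own.
    peer_dies_at : second from which the peer no longer sends or answers anything.
    Assumption: the tunnel is up at t = 0 and a DPD reply arrives instantly.
    """
    last_heard = 0
    for t in range(1, horizon + 1):
        peer_alive = t < peer_dies_at
        if peer_alive and t in peer_traffic:
            last_heard = t                      # data from the peer counts as "heard"
        if peer_alive and t % dpd_period == 0:
            last_heard = t                      # our DPD request was answered
        if t - last_heard >= death_timeout:
            return t                            # death time-out expired
    return None


if __name__ == "__main__":
    # Constructed timeline: peer data at 10 s and 50 s, peer goes silent at 100 s.
    print(check_dpd_timers(30, 120))                       # []
    print(check_dpd_timers(30, 20))                        # one warning
    print(tunnel_death_time({10, 50}, 100, 30, 120, 600))  # 210
    print(tunnel_death_time({10, 50}, 100, 30, 60, 600))   # 150
```

The replay makes the trade-off concrete: with a 30 s DPD period and a 120 s time-out, a peer that went silent at 100 s is only detected at 210 s (the last answered DPD request was at 90 s), so a longer time-out buys tolerance of lost keepalives at the price of a slower detection of a dead remote end-point.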

11.2.2 Configuring an outgoing IPSec connection

[Figure : outgoing VPN connection over the IP network, from the router (LAN IP addr., WAN IP addr.) to the remote router (remote WAN IP addr., remote LAN IP addr.)]

To set an outgoing VPN connection,

• Come back to the “VPN connections” screen,

“Remote WAN IP address” parameter :

Enter the IP network address and netmask assigned to the remote router over its WAN interface.

“Remote LAN address & Remote LAN netmask” parameters :

Enter the IP network address and netmask assigned to the remote LAN.

Pre-shared key

If the pre-shared key used by the connection is the general PSK entered in the “VPN” menu, no additional parameter has to be entered.

If a particular PSK must be used, complete the configuration of the connection as explained below.

“Unique PSK for this node” parameter :

Select this option if a particular PSK has to be used for this connection.

“PSK value” parameter :

Enter the value of the PSK.

“My WAN address” parameter :

Enter the IP address of the router on the WAN interface.

Certificate

“My subjectAlt name” & “Remote subjectAlt name” parameters :

Paste the "SubjectAltName" field of the active certificate of the router you are configuring and that of the remote router.

11.2.3 Configuring an ingoing IPSec connection

[Drawing: ingoing VPN connection from the remote router (remote LAN IP addr., remote WAN IP addr.) across the IP network to the router (WAN IP addr., LAN IP addr.)]

To set an ingoing VPN connection,

• Come back to the “VPN connections” screen,

Give a name to the connection and select the “ingoing” connection direction option.

“Remote WAN IP address” parameter :

Enter the IP network address and netmask assigned to the remote router over its WAN interface.

“Remote LAN address” & “Remote LAN netmask” parameters :

Enter the IP network address and netmask assigned to the remote LAN.

Pre-shared key

If the key used by the connection is the general PSK entered in the VPN menu, no additional parameter has to be entered.

If a particular PSK must be used, carry out the configuration of the connection as explained below.

“Use a specific key for this connection” parameter :

If this option is not selected, the pre-shared key entered in the VPN configuration screen is used by the router.

If this option is selected, enter the specific key.

“My WAN address & Remote WAN address” parameters :

Enter the WAN IP address of the router and the WAN IP address of the remote router.

Attention : For ETIC certificates, this field is the Email field

Certificate

“My subjectAlt name” & “Remote subjectAlt name” parameters :

Paste the "SubjectAltName" field of the active certificate of the router you are configuring and that of the remote router.

11.3 TLS VPN connections

11.3.1 Configuring the TLS-SSL protocol

• Select the “Setup” menu, the “network” menu and then the “VPN connections” menu.

• Select the “TLS” VPN type and click “Properties”.

“VPN network address” & “VPN network netmask” parameters :

The TLS VPN server router automatically assigns an IP address to the VPN client router.

That VPN IP address must not be confused with the WAN interface IP address.

Attention :

The VPN IP network address must be different from the WAN network IP address.

The number of VPN addresses cannot be greater than 255; the netmask cannot exceed 255.255.255.0.

[Drawing: TLS VPN between the router (LAN IP addr., WAN IP addr.) and the remote router (remote WAN IP addr., remote LAN IP addr.) across the IP network; VPN IP addr. (default 172.16.1.0)]

“Connection death time-out” parameter :

This parameter defines the maximum time (in seconds) a VPN connection stays established before being cleared if no response to the VPN control message has been received from the remote router.

“Packet retransmit time-out” parameter :

A control message (also called Keepalive message) is sent periodically by the VPN server router to check that the VPN must be kept active. This parameter sets the time (in seconds) the server waits for the response before repeating the message.

“Encryption algorithm” & “Authentication algorithm” parameters :

These parameters define the encryption and hash algorithms in use.

11.3.2 Configuring an outgoing TLS connection

[Drawing: outgoing TLS VPN connection from the router (LAN IP addr., WAN IP addr.) across the IP network to the remote router (remote WAN IP addr., remote LAN IP addr.)]

• Select the “Setup” menu, the “network” menu and then the “VPN connections” menu.

• Click the “add a connection” button.

• Give a name to the connection and select the “Outgoing” connection direction option.

“Login” & “Password” parameters :

Enter the login and password the router will use to authenticate itself.

“Remote WAN IP address / URL” parameter :

Enter the IP address of the remote router or its DNS name.

“Remote WAN IP address” parameter :

Enter the IP network address and netmask assigned to the remote router on its WAN interface.

11.3.3 Configuring an ingoing TLS connection

[Drawing: ingoing TLS VPN connection from the remote router (remote LAN IP addr., remote WAN IP addr.) across the IP network to the router (WAN IP addr., LAN IP addr.)]

• Select the “Setup” menu, the “network” menu and then the “VPN connections” menu.

“Remote LAN address” & “Remote LAN netmask” parameters :

Enter the IP network address and netmask assigned to the remote LAN.

“Common name” parameter :

Enter the common name of the remote router certificate.

12 Routing functions

12.1 Basic routing function

Once an IP address has been assigned to the R2 router on the LAN interface and another one on the WAN interface (see drawing hereafter), the RAS-E R2 router is ready to route frames :

• between devices connected to the remote LAN network, like RL1, and devices connected to the LAN network, like L1, through a VPN;

• between devices connected to the WAN network, like W1, and devices connected to the LAN network, like L1.

[Drawing: R2 router with LAN 192.168.2.0/24 (R2 address 192.168.2.128, device L1) and WAN 192.168.3.0/24 (R2 address 192.168.3.128, device W1); VPN across the WAN to the R3 router (192.168.4.128 on the remote WAN 192.168.4.0/24, 192.168.5.128 on the remote LAN 192.168.5.0/24, device RL1)]

Remark 1 : Firewall rules must be set to authorise WAN to LAN transfer.

Remark 2 : A default gateway address must be entered in each device of the different networks.

12.2 Static routes

However, the router R2 is not able to route frames between a device like L1 belonging to the LAN network and a device connected to “network 6” (see the drawing hereafter).

[Drawing: the same networks as in 12.1, plus “network 6” (192.168.6.0) behind the R1 router (192.168.5.1 on the remote LAN) and “network 1” (192.168.1.0) behind the R4 router (192.168.2.1 on the LAN)]

In that case, the route to that hidden “network 6” must be entered; such a route is called a static route.

A static route is a table entry which describes a destination network (IP address and netmask) and the IP address of the neighbour router through which an IP packet to that destination must pass.

Router 2 static routes :

Active   Route name   Destination   Netmask         Gateway
Yes      Network 6    192.168.6.0   255.255.255.0   192.168.5.1
Yes      Network 1    192.168.1.0   255.255.255.0   192.168.2.1
Yes      Network

Remark :

It is not necessary to enter in the router R2 the static route to the WAN network nor to the remote LAN network; those routes have been automatically created by the router, respectively when the WAN IP address was entered and when the VPN was configured.

To set a static route,

• Select the “Configuration” menu, the “network” menu, the “Routing” menu and then “Static routes”.

• Click the “Add a route” button.

“Destination IP address” & “netmask” parameters :

Enter the destination network IP address and netmask.

“Gateway IP address” parameter :

Enter the IP address of the gateway through which the IP packets intended for that network must pass.
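The static route lookup of router R2, as an added Python example that is not ETIC TELECOM code: it combines the routes the router creates by itself with the static routes of the table above, picks the longest matching prefix, then resolves the gateway to the interface that reaches it. The route names, the interface labels and the absence of a default route on R2 are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Added example (not ETIC TELECOM code): models the routing table of router R2
# from the drawings of sections 12.1 and 12.2 and resolves a destination the
# way a static-route lookup does.


@dataclass(frozen=True)
class Route:
    name: str
    destination: ipaddress.IPv4Network
    gateway: Optional[str]      # None = the destination network is reached directly
    interface: Optional[str]    # "LAN", "WAN" or "VPN" for the automatic routes


# Routes R2 creates by itself (remark of section 12.2): its LAN, its WAN
# and the remote LAN reached through the VPN.
AUTOMATIC_ROUTES = [
    Route("LAN (automatic)", ipaddress.IPv4Network("192.168.2.0/24"), None, "LAN"),
    Route("WAN (automatic)", ipaddress.IPv4Network("192.168.3.0/24"), None, "WAN"),
    Route("Remote LAN (automatic)", ipaddress.IPv4Network("192.168.5.0/24"), None, "VPN"),
]

# The static route table of section 12.2: (Active, Route name, Destination, Netmask, Gateway)
STATIC_ROUTES = [
    ("Yes", "Network 6", "192.168.6.0", "255.255.255.0", "192.168.5.1"),
    ("Yes", "Network 1", "192.168.1.0", "255.255.255.0", "192.168.2.1"),
]


def build_table(static_rows=STATIC_ROUTES):
    """Combine the automatic routes with the active static routes."""
    table = list(AUTOMATIC_ROUTES)
    for active, name, dest, mask, gateway in static_rows:
        if active == "Yes":
            table.append(Route(name, ipaddress.IPv4Network(f"{dest}/{mask}"), gateway, None))
    return table


def _longest_match(table, address):
    """Return the route with the most specific destination containing address, or None."""
    addr = ipaddress.IPv4Address(address)
    candidates = [r for r in table if addr in r.destination]
    return max(candidates, key=lambda r: r.destination.prefixlen) if candidates else None


def lookup(table, dst_ip):
    """Return (route name, egress interface, next hop) for dst_ip, or None when
    R2 has no route (this model gives R2 no default route)."""
    route = _longest_match(table, dst_ip)
    if route is None:
        return None
    if route.gateway is None:
        return route.name, route.interface, None          # delivered directly
    # A static route only names the gateway; the gateway itself must sit on a
    # directly reached network, otherwise the route cannot be used.
    via = _longest_match(table, route.gateway)
    if via is None or via.gateway is not None:
        raise ValueError(f"gateway {route.gateway} of route {route.name!r} is not directly reachable")
    return route.name, via.interface, route.gateway


if __name__ == "__main__":
    table = build_table()
    for dst in ("192.168.6.10", "192.168.1.7", "192.168.3.1", "10.0.0.1"):
        print(dst, "->", lookup(table, dst))
```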

12.3 RIP protocol

RIP (Routing Information Protocol) is a routing protocol which enables each router belonging to a network to acquire the routes to any subnet. The principle is as follows :

Routing table : Each router holds a routing table. Each entry of the table consists of the destination subnet address and the address of the adjacent router leading to that subnet.

Routing table broadcasting : Each router broadcasts its table.

Routing table update :

To enable RIP,

• Select the “Setup” menu, the “Routing” menu and then the “RIP” menu.

• Select the “Enable RIP on LAN interface” and “Enable RIP on WAN interface” options.

13 Address and port translation

The RAS-E can replace the original source IP address, and the destination port and IP address, in particular situations.

13.1 Port forwarding

The port forwarding function transfers to a particular device connected to the LAN interface a particular data flow addressed to the RAS-E router on its WAN interface.

That function applies only to the frames addressed to the WAN IP address of the router.

The transfer criterion is the port number; the port number is used as an additional address field.

When a frame is addressed to the RAS-E router on a particular registered port, it is transferred to a particular device connected to the LAN interface.

Example :

Let us suppose the PC named “W1” of the WAN network has to send frames to the device PLC1 of the LAN network.

Suppose moreover that the addresses of the LAN network cannot be used on the WAN network for any reason.

The solution can be to use the port forwarding function :

When W1 needs to transmit frames to PLC1, it addresses the frames to the RAS-E router on a chosen and agreed port.

The router checks the frame, replaces the destination address with the IP address of the device on the LAN interface, and possibly changes the port number.

[Drawing: W1 on the WAN network sends to 62.10.10.7 TCP 102 (router WAN IP addr. : 62.10.10.7); LAN devices PLC1 192.168.0.15 TCP 102, PLC2 192.168.0.16 TCP 502, PC 192.168.0.17 TCP 80]

The port forwarding rule will be :

Internet / WAN   LAN translation
Service          Device         Service
102              192.168.0.15   102
502              192.168.0.16   502
80               192.168.0.17   80

To set the Port forwarding function,

• Select the “network” menu and then the “Port forwarding” menu.

14 Remote users connections service

The RAS-E provides a full remote user connection function called RAS :

• The remote user authenticates with a login, a password and optionally a certificate; the router accepts the connection only if the remote user belongs to the user list.

• Individual access rights are automatically allocated to the remote user.

• An IP address belonging to the LAN network is automatically assigned to the remote PC.

• Data is encrypted (TLS and L2TP / IPSec only).

• The connection is logged.

• Moreover, the RAS-E is compatible with the M2Me_Connect service when a direct connection cannot be set.

To set up the remote user connection service, the following steps must be carried out :

• Step 1 : Configure a PPTP, TLS or L2TP connection, or select the M2Me_Connect service menu.

• Step 2 : Complete the user list.

• Step 3 :

15 Remote users connections

15.1 Principles

A remote user connection is a tunnel set between a remote PC and a router providing the RAS function (Remote Access Service), like the RAS-E.

A remote user connection provides security and simplicity advantages :

• The remote user is identified with a login and password or, optionally, a certificate.

• The data is encrypted (TLS or L2TP).

• An IP address belonging to the local network is automatically assigned to the remote user’s PC.

The RAS-E manages PPTP, TLS or L2TP remote connections. Only one type can be selected; it applies to all the remote user connections.

PPTP is the simplest type of remote user connection; data is not encrypted.

The remote user can only be identified with a login and password.

A TLS connection provides encryption; moreover, the remote user can be identified with a login and password and, if necessary, with a certificate.

15.2 Configuring a TLS connection

The M2Me_Secure software provided by ETIC TELECOM is a Windows TLS client.

Installed on a PC running Windows XP or Windows 7, M2Me_Secure makes TLS connections from a remote PC to the RAS-E easy; moreover, it includes a connection book so that a single click is enough to connect to a remote site.

We describe hereafter how to configure the router and the M2Me_Secure software to set a TLS VPN between them.

Step 1 : Router configuration

To configure a remote user TLS connection,

• Select the “Setup” menu, the “Remote users” menu and then the “User list” menu.

• Select the VPN type “TLS”.

• Click the “Properties” button and set the parameters.

“Port number” & “Protocol” parameters :

Select the port number and the type of level 3 protocol used to transport the TLS VPN; UDP is preferred.

“Remote Users authentication” parameter :

Authentication and encryption can be carried out with a pre-shared key or a certificate.

If “Login/password” is selected, the remote user is authenticated with a login and a password.

If “Login/password and Certificate” is selected, the remote PC is authenticated with the certificate and the user with a login and password. In that case, the PC certificate must be stored in the user list.

« Encryption algorithm » & « Message digest algorithm » parameters :

Leave the default values.

Step 2 : Configure the M2Me_Secure software

For detailed information, refer to the M2Me_Secure manual.

• Click « Menu » and then « New site ». The site configuration window is displayed.

• Select the « General » tab and enter a site name.

• Select the « Connection » tab; select the option “That site can be reached through the Internet”.

• In the field « Host name or IP address », enter the router IP address, DynDNS name or DNS name.

• Select the « Advanced » tab; select the level 3 protocol (UDP or TCP), the port number and the encryption algorithm.

These parameters must have the same values in the PC and in the router.

15.3 Configuring a PPTP connection

We describe hereafter how to configure the router and the PC to set a PPTP remote user connection between them.

Step 1 : Router configuration

• Select the “Setup” menu, the “Remote users” menu and then the “User list” menu.

• Select the VPN type “PPTP”.

Remark : The “Properties” button allows the authentication protocol to be modified; leave the default configuration if the PPTP client is a PC running Windows.

16 M2Me_Connect service

16.1 Overview

The M2Me_Connect service simplifies the connection of a remote PC to a machine through the Internet.

It provides a solution when a direct PPTP or TLS connection, as described before, turns out to be impossible.

Let us take the example of a machine made of several devices forming a “machine network” and connected to a company network through a RAS-E router.

Suppose an expert wishes to connect to one or several of these devices to help repair them or to upgrade a firmware.

The simplest solution would be to set a remote connection between the remote PC and the RAS-E through the company network, the existing Internet access of the company, and the Internet.

Several reasons make that connection difficult or impossible, but the main one is security : it is generally not allowed to set an ingoing connection from a PC connected to the Internet towards a device like a RAS-E connected inside a company network.

The M2Me_Connect service solves that difficulty :

The PC does not connect directly to the RAS-E; both the PC and the router connect to the “M2Me_Connect” service.

Once both parties have been authenticated by the M2Me_Connect service with their own certificates, a TLS VPN is set end to end from the PC to the RAS-E router.

The remote user identity is checked by the router to verify that he or she belongs to the user list stored in the RAS-E router.

Finally, individual access rights are assigned to the remote user depending on his or her identity.

16.2 Configuring a M2Me_Connect connection

Step 1 : Router configuration

• Select the « Setup » menu, the « Remote users » menu, the “M2Me_Connect” menu, and then the “Connection” menu.

« Activate » parameter :

Tick the checkbox.

“TCP ports” and “UDP ports” parameters :

Select the ports the router must check to set a connection to the M2Me_Connect service.

Proxy parameters :

If a proxy server is in charge of filtering the IP packets transmitted towards the Internet, select the “Use a Proxy server” option; choose either “HTTP” or “SOCKS5”; enter the proxy server address, port number, login and password.

• Test the connection

Click the “Control” menu and press the “connect now” button.

Go to the “Diagnostic” menu, the “Network status” menu and then “M2Me”. When the connection between the router and the M2Me_Connect service

Step 2 : Configuring the M2Me_Secure software

• Click « Menu » and then « New site ». The site configuration window is displayed.

• Select the « General » tab and enter a site name.

• Select the « Connection » tab; select the option “That site can be reached through the Internet” and the “M2Me_Connect” option.

• Enter the product key of the router; it can be pasted from the “About” menu of the router.

17 Users list

The user list registers up to 25 authorised remote user forms.

Each user form stores the identity of the user (login and password), the email address to which alarm emails are sent, and the filter assigned to the user.

To display the user list,

• Select the “Setup” menu, the “Remote users” menu and then the “User list” menu.

Attention :

From the factory, a default user is registered; the login is admin and the password is also admin. After the test phase, we advise modifying this login and password.

To add a user form,

• Click the “add a user” button.

“Active” (value Yes or No) :

Select “No” to prevent the user from accessing the network. Select “Yes” to authorise the user to access the network.

Full name :

The name displayed in the user list.

Login & password :

The login and the password have to be entered by each user at the beginning of the remote connection.

E-mail :

The RAS-E sends an email to that address in two situations :

Alarm email : the RAS-E sends an alarm email to the defined user if input 1 is closed or opened (if that option has been set).

Internet connection email : once connected to the Internet, the RAS-E sends to the requesting user an email containing the dynamic IP address assigned to the RAS-E by the provider (see OPERATION chapter).

Firewall filter : Select a filter in the list.

A filter defines a domain of the local network.

18 Firewall

18.1 Overview

The firewall filters IP packets between the WAN and the LAN interfaces of the RAS-E router. It is divided into 3 particular filters :

The remote users filters

The function of the remote users filters is to limit the IP domain an authenticated remote user can reach when he connects to the RAS-E router through the Internet.

The remote users filters check the destination IP address and port number of the IP packets carried inside a PPTP, TLS or L2TP remote user connection.

Thus the IP addresses checked by the remote users filters are LAN IP addresses.

25 remote users filters can be created and assigned individually to each of the users declared in the user list.

The source IP address of the packets is not checked by the remote users filters, because the filters apply to the remote user connections according to the login and password of the remote user, which are checked when the remote user connection is set.

The main filter

It filters IP packets whether carried inside one of the VPNs or outside a VPN.

The main filter checks the source and destination IP addresses and the source and destination ports.

The main filter does not check the IP packets included in a remote user connection; those packets are checked by the remote users filters.

The main filter does not check the IP packets defined in the “Port forwarding” table; those packets are directly forwarded to the defined device (see Port forwarding).

The denial of service filter

The denial of service filter is designed to counter usual attacks coming from the Internet. That filter cannot be configured.

The firewall of the RAS-E can thus be represented by the drawing hereafter :

[Drawing: the FIREWALL between the WAN and LAN interfaces, made of the DoS filter, the main filter, the users filters, the VPN between routers and the port forwarding path]

18.2 Main filter

The main filter applies to all the IP packets except those included in remote user connections.

To recognise a TLS remote user connection, the router detects the port number.

18.2.1 Main filter Overview

Main filter structure

For a better organisation, the main filter is divided into two tables, both having the same structure :

The “VPN” filter : it filters the packets transmitted inside the VPNs.

The “WAN” filter : it filters the packets transmitted outside the VPNs.

Each of these two filters is made of :

• a filter policy, and

• a filter table, each line of which is a filter rule.

Main filter default policy

The default policy is the decision applied to a packet which does not match any of the rules of the filter.

The WAN to LAN and the LAN to WAN traffic are regarded separately, because the decision can be opposite for a packet coming from the WAN and for a packet coming from the LAN :

WAN to LAN : The default policy can be “Accept” or “Drop”.

LAN to WAN : The default policy can also be “Accept” or “Drop”.

For instance, if the default policy assigned to the WAN to LAN traffic is “Drop”, an IP packet which does not match any of the rules of the main filter is rejected.

Main filter table

The main filter is a table, each line being a rule.

Each rule of the filter is composed of several fields which define a particular data flow, and another field called the action field. The fields which define the data flow are :

• Direction (« WAN to LAN » or « LAN to WAN »),

• Protocol (TCP, UDP…),

• IP address & port number, source & destination.

The Action field can take two values :

• Accept : to authorise the data flow to be forwarded to the router interface.

• Drop : to drop the packet which matches the rule.

How the main filter works

When the firewall receives a packet, it checks whether it matches the first rule. If it does, the decision is applied to the packet according to the “Action” field. If it does not, the firewall checks whether it matches the second rule, and so on.

If the packet does not match any of the rules of the table, the default policy is applied to the packet (drop or reject).

18.2.2 Configuring the main filter

Select the “Security” menu and then “Firewall” and “Main filter”.

The “Main filter” page is divided into two parts :

WAN traffic rules :

The first part, entitled “WAN traffic rules”, defines how the IP packets not carried in a VPN have to be filtered.

VPN traffic rules :

The second part, entitled “VPN traffic rules”, defines how the IP packets carried inside the VPNs have to be filtered.

Configure successively the WAN traffic rules and the VPN traffic rules using the same method.

Step 1 : Select the default policy

“LAN to WAN” parameter :

This parameter sets what the filter decides if an IP packet coming from the LAN does not match any of the rules of the filter :

If the value “Accept” is selected, the IP packet is transmitted to the VPN.

If the value “Drop” is selected, the IP packet is rejected.

“WAN to LAN” parameter :

This parameter sets what the filter decides if an IP packet coming from the WAN does not match any of the rules of the filter :

If the value “Accept” is selected, the IP packet is transmitted to the LAN.

If the value “Drop” is selected, the IP packet is rejected.

The cautious default policy is the value “Drop”; conversely, if the value “Accept” is selected, a frame which does not match any of the rules of the filter is transmitted.

Step 2 : Add a rule to the filter

Click the “add a rule” button.

“Direction” parameter :

Select the direction of the data flow to which the rule applies.

“Action” parameter :

Select the value “Accept” if the IP packet has to be transmitted in the selected direction.

Select the value “Drop” if the IP packet has to be rejected.

“Protocol” parameter :

“Destination IP address” & “destination port” parameters :

Enter the value of the destination IP address and the destination port number. Select the netmask value.
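The packet path of sections 13.1 and 18.2, as an added Python model that is not ETIC TELECOM code: the port forwarding table of the 13.1 example is consulted first and forwarded packets skip the main filter, then the main filter rules are tried in order with the per-direction default policy as fallback. The rules, the default policies and the sample packets are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

# Added example (not ETIC TELECOM code): a model of the RAS-E packet path for
# traffic that is not a remote user connection. Port forwarding is consulted
# first (forwarded packets bypass the main filter, as section 18.1 states),
# then the main filter rules are tried in order and the per-direction default
# policy decides for packets that match no rule.

WAN_TO_LAN, LAN_TO_WAN = "WAN to LAN", "LAN to WAN"


@dataclass(frozen=True)
class Packet:
    direction: str
    protocol: str            # "TCP", "UDP" or "ICMP"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    direction: str
    action: str                      # "Accept" or "Drop"
    protocol: Optional[str] = None   # None = any protocol
    src: Optional[str] = None        # CIDR network; None = any source address
    sport: Optional[int] = None      # None = any source port
    dst: Optional[str] = None        # CIDR network; None = any destination address
    dport: Optional[int] = None      # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.direction != pkt.direction:
            return False
        if self.protocol is not None and self.protocol != pkt.protocol:
            return False
        for net, addr in ((self.src, pkt.src), (self.dst, pkt.dst)):
            if net is not None and ipaddress.IPv4Address(addr) not in ipaddress.IPv4Network(net):
                return False
        for want, have in ((self.sport, pkt.sport), (self.dport, pkt.dport)):
            if want is not None and want != have:
                return False
        return True


WAN_IP = "62.10.10.7"    # router WAN address of the section 13.1 example
# Port forwarding table of section 13.1: WAN-side TCP port -> (LAN device, LAN port)
PORT_FORWARDING = {102: ("192.168.0.15", 102), 502: ("192.168.0.16", 502), 80: ("192.168.0.17", 80)}

# Constructed "WAN traffic rules": first match wins, default policy otherwise.
DEFAULT_POLICY = {WAN_TO_LAN: "Drop", LAN_TO_WAN: "Accept"}
RULES = [
    Rule(WAN_TO_LAN, "Drop", protocol="TCP", dst="192.168.0.0/24", dport=22),
    Rule(WAN_TO_LAN, "Accept", protocol="TCP", src="62.10.10.0/24", dst="192.168.0.0/24"),
]


def main_filter(pkt, rules=RULES, policy=DEFAULT_POLICY):
    """Return (action, reason): the first matching rule decides, else the default policy."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, f"rule {index + 1}"
    return policy[pkt.direction], "default policy"


def process(pkt, forwarding=PORT_FORWARDING, rules=RULES, policy=DEFAULT_POLICY):
    """Return (action, delivered packet, reason) for one packet crossing the router."""
    if (pkt.direction == WAN_TO_LAN and pkt.protocol == "TCP"
            and pkt.dst == WAN_IP and pkt.dport in forwarding):
        device, port = forwarding[pkt.dport]
        # Destination address (and possibly port) rewritten; the main filter is
        # not consulted, so a forwarded port is reachable from every WAN source.
        return "Accept", replace(pkt, dst=device, dport=port), f"port forwarding {pkt.dport}"
    action, reason = main_filter(pkt, rules, policy)
    return action, pkt, reason


if __name__ == "__main__":
    # Constructed sample: W1 addresses the router WAN address on the agreed port 102.
    print(process(Packet(WAN_TO_LAN, "TCP", "62.10.10.20", WAN_IP, 40000, 102)))
    print(process(Packet(WAN_TO_LAN, "TCP", "203.0.113.9", "192.168.0.20", 5000, 443)))
```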

18.3 Remote users filters

A remote user filter applies to the IP packets received inside a remote user connection.

25 remote user filters can be configured and assigned individually to each of the users declared in the user list.

A remote user filter is a table of destination port numbers and IP addresses belonging to the LAN network.

Once a remote user is connected to the RAS-E router, the router applies the filter assigned to him (see the remote user form).

According to his identity (login and password), he will thus only be able to access the IP domain defined by the filter.

Example :

Filter name : Access to the device PLC1 (html and modbus)

Filter policy : All is forbidden except what we specify

Rules list :

Action   Device              Service
Allow    PLC1 192.168.0.12   80
Allow    PLC1 192.168.0.12   Modbus 502

A filter must be assigned to at least one user to become enabled.

Step 1 : Complete, if necessary, the list of services

Remark : The main services (html, ftp, modbus) are available from the factory; for that reason, most of the time that step can be skipped.

• Select the “system” menu and then “service list”. The list of TCP ports is displayed.

• Click « add a service ».

• Enter the label of the new service, assign a protocol (udp, tcp, icmp) and a port number.

Step 2 : Enter the list of devices of the LAN network

• Select the « System » menu, then « Devices list ». The list of the devices of the LAN network is displayed.

• Click « add a device ».
